Networking Single Sign On SSO with IIS on Windows

June 29, 2024 at 4:56 AM

On this page we will show you how to configure your Windows and Internet Information Server (IIS) environment in order to use NADI with Kerberos SSO.

If you require help in setting up your Next Active Directory Integration installation we offer you consultation services and support.
Get in touch!

Enable Windows Authentication

  1. Open the IIS Manager and select the site under which your WordPress environment runs. In our case we use the Default Web Site.
  2. Double click on Authentication:

iis_default.png

Now you have to configure the authentication settings of your site.

  1. Disable Anonymous Authentication
  2. Enable Windows Authentication
  3. With Windows Authentication selected, click on the Providers link in the right Action panel
If the Windows Authentication entry is missing, you have to add the feature by using Windows' Server Manager.
You can enable it below Server Roles > Web Server (IIS) > Web Server > Security > Windows Authentication.

iis_authentication.png

In the now appearing window, add the providers as shown in the following screenshot. The order has to be Negotiate over NTLM! Negotiate equals to use Kerberos authentication.

iis_provider.png

Close the window by pressing OK.

  1. Select your site on the left panel.
  2. Double click on Configuration Editor:

iis_configuration_manager.png

Now select windowsAuthentication from the dropdown menu:

iis_configuration_editor_section.png

Change useKernelMode to True and save the settings by pressing the Apply button in the upper right corner:

iis_configuration_editor_windows_authentication_details.png

Restart the IIS.

Configure SPNs

In our example we imagine the following scenario:

Host alias (${HOST_ALIAS}) Domain FQDN host (${FQDN_HOST})
nadi-ts test.ad nadi-ts.test.ad

  1. Open a console and type in hostname to see the name (${MACHINE_NAME}) of your machine.

    The ${MACHINE_NAME} can be equal to the ${HOST_ALIAS}, but in most cases it isn't.

  2. Now type the following to receive a list of all SPNs registered for your machine

     setspn -L ${MACHINE_NAME}

    This should output a list like



  3. You now have to add a HOST and an http SPN for the address of your WordPress environment which has to equal the machines FQDN. To do this type the following commands:

     setspn -a HOST/${FQDN_HOST} ${MACHINE_NAME}
 setspn -a http/${FQDN_HOST} ${MACHINE_NAME}

  4. Check if the SPNs were added successfully by typing

     setspn -L ${MACHINE_NAME}



If your hostname contains a port (e.g. nadi-ts.test.ad:81/wordpress) do not add that port to the SPNs. This is only required for older environments up to Windows 7 and Windows Server 2008.

Configure browsers

You have to configure the browsers you are using.

Test authentication

You can use Fiddler to test the Kerberos configuration.

  1. Start Fiddler
  2. Open your browser and go your WordPress instance for which have previously enabled Kerberos
  3. In Fiddler select the last request from the list. In the right panel below Inspectors > Headers > Auth you should see the message
WWW-Authenticate Header (Negotiate) appears to be a Kerberos reply

fiddler_iis_sso.png

If you have been successfully logged in into your WordPress environment you should find the following log message in logs/nadi-debug.log:

sso_success.png

If you require help in setting up your Next Active Directory Integration installation we offer you consultation services and support.
Get in touch!